Revert "Use configured director cert in bosh-monitor, nats-sync"

This reverts commit 421d34d.

Author: aramprice

src/bosh-director/lib/bosh/director/config_server/auth_http_client.rb

@@ -53,8 +53,12 @@ def auth_retryable
     end
 
     def set_cert_store(ca_cert_path)
-      if ca_cert_path && File.file?(ca_cert_path) && !File.zero?(ca_cert_path)
+      if ca_cert_path && File.exist?(ca_cert_path) && !File.read(ca_cert_path).strip.empty?
         @http.ca_file = ca_cert_path
+      else
+        cert_store = OpenSSL::X509::Store.new
+        cert_store.set_default_paths
+        @http.cert_store = cert_store
       end
     end
   end

src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb

@@ -23,8 +23,12 @@ class UAAToken
     def initialize(client_id, client_secret, uaa_url, ca_cert_path, logger)
       options = {}
 
-      if File.file?(ca_cert_path) && !File.zero?(ca_cert_path)
+      if File.exist?(ca_cert_path) && !File.read(ca_cert_path).strip.empty?
         options[:ssl_ca_file] = ca_cert_path
+      else
+        cert_store = OpenSSL::X509::Store.new
+        cert_store.set_default_paths
+        options[:ssl_cert_store] = cert_store
       end
 
       @uaa_url = uaa_url

src/bosh-director/spec/unit/bosh/director/config_server/auth_http_client_spec.rb

@@ -23,16 +23,21 @@
 
   describe '#initialize' do
     context 'ssl is setup' do
-      shared_examples 'does not configure cert_store' do
+      shared_examples 'cert_store' do
+        store_double = nil
+
         before do
           allow(http_client).to receive(:use_ssl=).with(true)
           allow(http_client).to receive(:verify_mode=).with(OpenSSL::SSL::VERIFY_PEER)
+
+          store_double = instance_double(OpenSSL::X509::Store)
+          allow(store_double).to receive(:set_default_paths)
+          allow(OpenSSL::X509::Store).to receive(:new).and_return(store_double)
         end
 
-        it 'does not set cert_store, falling back to default trust store' do
-          expect(http_client).not_to receive(:cert_store=)
-          expect(http_client).not_to receive(:ca_file=)
-          expect(OpenSSL::X509::Store).not_to receive(:new)
+        it 'uses default cert_store' do
+          expect(http_client).to receive(:cert_store=)
+          expect(store_double).to receive(:set_default_paths)
 
           subject
         end
@@ -43,17 +48,17 @@
           config_server_hash['ca_cert_path'] = nil
         end
 
-        it_behaves_like 'does not configure cert_store'
+        it_behaves_like 'cert_store'
       end
 
       context 'ca_cert file exists and is empty' do
         before do
           config_server_hash['ca_cert_path'] = '/root/cert.crt'
-          allow(File).to receive(:file?).with('/root/cert.crt').and_return(true)
-          allow(File).to receive(:zero?).with('/root/cert.crt').and_return(true)
+          allow(File).to receive(:exist?).and_return(true)
+          allow(File).to receive(:read).and_return('')
         end
 
-        it_behaves_like 'does not configure cert_store'
+        it_behaves_like 'cert_store'
       end
     end
   end
@@ -62,6 +67,7 @@
     before do
       allow(http_client).to receive(:use_ssl=).with(true)
       allow(http_client).to receive(:verify_mode=).with(OpenSSL::SSL::VERIFY_PEER)
+      allow(http_client).to receive(:cert_store=)
     end
 
     it 'should add "Authorization" header and call through to actual http client' do
@@ -91,6 +97,7 @@
     before do
       allow(http_client).to receive(:use_ssl=).with(true)
       allow(http_client).to receive(:verify_mode=).with(OpenSSL::SSL::VERIFY_PEER)
+      allow(http_client).to receive(:cert_store=)
     end
 
     it 'should add "Authorization" header and call through to actual http client' do

src/bosh-director/spec/unit/bosh/director/config_server/uaa_auth_provider_spec.rb

@@ -23,8 +23,8 @@
   let(:expiration_time) { Time.now.to_i + 3600 }
 
   before do
-    allow(File).to receive(:file?).with('fake-ca-cert-path').and_return(true)
-    allow(File).to receive(:zero?).with('fake-ca-cert-path').and_return(false)
+    allow(File).to receive(:exist?).with('fake-ca-cert-path').and_return(true)
+    allow(File).to receive(:read).with('fake-ca-cert-path').and_return('test')
 
     allow(CF::UAA::TokenIssuer).to receive(:new).with(
       uaa_url, 'fake-client', 'fake-client-secret', { :ssl_ca_file => 'fake-ca-cert-path' }

src/bosh-monitor/lib/bosh/monitor.rb

@@ -19,7 +19,6 @@ module Monitor
 
 # Helpers
 require 'bosh/monitor/yaml_helper'
-require 'bosh/monitor/ssl_helpers'
 
 # Basic blocks
 require 'bosh/monitor/agent'

src/bosh-monitor/lib/bosh/monitor/auth_provider.rb

@@ -32,15 +32,17 @@ def uaa_token_header(uaa_url)
   end
 
   class UAAToken
-    include Bosh::Monitor::SSLHelpers
-
     EXPIRATION_DEADLINE_IN_SECONDS = 60
 
     def initialize(client_id, client_secret, uaa_url, ca_cert_file_path, logger)
       options = {}
 
-      if configured_ca_cert?(ca_cert_file_path.to_s)
-        options[:ssl_ca_file] = ca_cert_file_path.to_s
+      if File.exist?(ca_cert_file_path) && !File.read(ca_cert_file_path).strip.empty?
+        options[:ssl_ca_file] = ca_cert_file_path
+      else
+        cert_store = OpenSSL::X509::Store.new
+        cert_store.set_default_paths
+        options[:ssl_cert_store] = cert_store
       end
 
       @uaa_token_issuer = CF::UAA::TokenIssuer.new(

src/bosh-monitor/lib/bosh/monitor/director.rb

@@ -1,10 +1,7 @@
 require 'async/http/internet/instance'
-require 'openssl'
 
 module Bosh::Monitor
   class Director
-    include SSLHelpers
-
     def initialize(options, logger)
       @options = options
       @logger = logger
@@ -57,13 +54,9 @@ def perform_request(method, request_path, options = {})
       headers = {}
       headers['authorization'] = auth_provider.auth_header unless options.fetch(:no_login, false)
 
-      async_endpoint =
-        if parsed_endpoint.scheme == 'https'
-          ssl_context = ssl_context_for_peer_verification(@options['ca_cert'].to_s)
-          Async::HTTP::Endpoint.parse(parsed_endpoint.to_s, ssl_context: ssl_context)
-        else
-          Async::HTTP::Endpoint.parse(parsed_endpoint.to_s)
-        end
+      ssl_context = OpenSSL::SSL::SSLContext.new
+      ssl_context.set_params(verify_mode: OpenSSL::SSL::VERIFY_NONE)
+      async_endpoint = Async::HTTP::Endpoint.parse(parsed_endpoint.to_s, ssl_context: ssl_context)
       response = Async::HTTP::Internet.send(method.to_sym, async_endpoint, headers)
 
       body   = response.read
@@ -81,7 +74,7 @@ def perform_request(method, request_path, options = {})
     def info
       body, status = perform_request(:get, '/info', no_login: true)
 
-      raise DirectorError, "Cannot get status from director at #{endpoint}/info: #{status} #{body}" if status != 200
+      raise DirectorError, "Cannot get status from director at #{http.req.uri}: #{status} #{body}" if status != 200
 
       parse_json(body, Hash)
     end

src/bosh-monitor/lib/bosh/monitor/plugins/event_logger.rb

@@ -65,7 +65,7 @@ def process(alert)
 
         request[:proxy] = options['http_proxy'] if options['http_proxy']
 
-        send_http_post_request(@url.to_s, request, @director_options['ca_cert'])
+        send_http_post_request(@url.to_s, request)
       end
 
       private
@@ -79,7 +79,7 @@ def director_info
 
         director_info_url = @url.dup
         director_info_url.path = '/info'
-        body, status = send_http_get_request_synchronous(director_info_url.to_s, @director_options['ca_cert'])
+        body, status = send_http_get_request_synchronous(director_info_url.to_s)
         return nil if status != 200
 
         @director_info = JSON.parse(body)

src/bosh-monitor/lib/bosh/monitor/plugins/http_request_helper.rb

@@ -2,53 +2,36 @@
 require 'async/http/internet/instance'
 require 'async/http/proxy'
 require 'net/http'
-require 'openssl'
 
 module Bosh::Monitor::Plugins
   module HttpRequestHelper
-    include Bosh::Monitor::SSLHelpers
-
-    def send_http_put_request(uri, request, ca_cert = nil)
+    def send_http_put_request(uri, request)
       logger.debug("sending HTTP PUT to: #{uri}")
-      process_async_http_request(
-        method: :put,
-        uri: uri,
-        headers: request.fetch(:head, {}),
-        body: request.fetch(:body, nil),
-        proxy: request.fetch(:proxy, nil),
-        ca_cert: ca_cert,
-      )
+      process_async_http_request(method: :put, uri: uri, headers: request.fetch(:head, {}), body: request.fetch(:body, nil), proxy: request.fetch(:proxy, nil))
     end
 
-    def send_http_post_request(uri, request, ca_cert = nil)
+    def send_http_post_request(uri, request)
       logger.debug("sending HTTP POST to: #{uri}")
-      process_async_http_request(
-        method: :post,
-        uri: uri,
-        headers: request.fetch(:head, {}),
-        body: request.fetch(:body, nil),
-        proxy: request.fetch(:proxy, nil),
-        ca_cert: ca_cert,
-      )
+      process_async_http_request(method: :post, uri: uri, headers: request.fetch(:head, {}), body: request.fetch(:body, nil), proxy: request.fetch(:proxy, nil))
     end
 
-    def send_http_get_request_synchronous(uri, ca_cert = nil, headers = nil)
+    def send_http_get_request_synchronous(uri, headers = nil)
       parsed_uri = URI.parse(uri.to_s)
 
       # we are interested in response, so send sync request
       logger.debug("Sending GET request to #{parsed_uri}")
 
-      net_http = sync_client(parsed_uri, ca_cert)
+      net_http = sync_client(parsed_uri, OpenSSL::SSL::VERIFY_NONE)
 
       response = net_http.get(parsed_uri.request_uri, headers)
 
       [response.body, response.code.to_i]
     end
 
-    def send_http_post_request_synchronous_with_tls_verify_peer(uri, request, ca_cert = nil)
+    def send_http_post_request_synchronous_with_tls_verify_peer(uri, request)
       parsed_uri = URI.parse(uri.to_s)
 
-      net_http = sync_client(parsed_uri, ca_cert, request.fetch(:proxy, nil))
+      net_http = sync_client(parsed_uri, OpenSSL::SSL::VERIFY_PEER)
 
       response = net_http.post(parsed_uri.request_uri, request[:body])
 
@@ -57,40 +40,27 @@ def send_http_post_request_synchronous_with_tls_verify_peer(uri, request, ca_cer
 
     private
 
-    def resolved_proxy_uri(parsed_uri, explicit_proxy_string)
-      explicit = explicit_proxy_string.to_s.strip
-      return URI.parse(explicit) unless explicit.empty?
-
-      parsed_uri.find_proxy
-    end
-
-    def sync_client(parsed_uri, ca_cert, explicit_proxy = nil)
+    def sync_client(parsed_uri, ssl_verify_mode)
       net_http = Net::HTTP.new(parsed_uri.host, parsed_uri.port)
-      if parsed_uri.scheme == 'https'
-        net_http.use_ssl = true
-        configure_net_http_tls!(net_http, ca_cert)
-      end
-
-      unless (proxy_uri = resolved_proxy_uri(parsed_uri, explicit_proxy)).nil?
-        net_http.proxy_address = proxy_uri.host
-        net_http.proxy_port = proxy_uri.port
-        net_http.proxy_user = proxy_uri.user
-        net_http.proxy_pass = proxy_uri.password
+      net_http.use_ssl = (parsed_uri.scheme == 'https')
+      net_http.verify_mode = ssl_verify_mode
+
+      env_proxy = parsed_uri.find_proxy
+      unless env_proxy.nil?
+        net_http.proxy_address = env_proxy.host
+        net_http.proxy_port = env_proxy.port
+        net_http.proxy_user = env_proxy.user
+        net_http.proxy_pass = env_proxy.password
       end
 
       net_http
     end
 
-    def configure_net_http_tls!(net_http, ca_cert_path)
-      net_http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-      net_http.ca_file = ca_cert_path.to_s if configured_ca_cert?(ca_cert_path)
-    end
-
-    def process_async_http_request(method:, uri:, headers: {}, body: nil, proxy: nil, ca_cert: nil)
+    def process_async_http_request(method:, uri:, headers: {}, body: nil, proxy: nil)
       name = self.class.name
       started = Time.now
 
-      endpoint = create_async_endpoint(uri: uri, proxy: proxy, ca_cert: ca_cert)
+      endpoint = create_async_endpoint(uri: uri, proxy: proxy)
       response = Async::HTTP::Internet.send(method, endpoint, headers, body)
 
       # Explicitly read the response stream to ensure the connection fully closes
@@ -105,19 +75,17 @@ def process_async_http_request(method:, uri:, headers: {}, body: nil, proxy: nil
       response.close if response
     end
 
-    def create_async_endpoint(uri:, proxy:, ca_cert: nil)
+    def create_async_endpoint(uri:, proxy:)
       parsed_uri = URI.parse(uri.to_s)
+      env_proxy = parsed_uri.find_proxy
 
-      endpoint =
-        if parsed_uri.scheme == 'https'
-          ssl_context = ssl_context_for_peer_verification(ca_cert)
-          Async::HTTP::Endpoint.parse(uri.to_s, ssl_context: ssl_context)
-        else
-          Async::HTTP::Endpoint.parse(uri.to_s)
-        end
+      ssl_context = OpenSSL::SSL::SSLContext.new
+      ssl_context.set_params(verify_mode: OpenSSL::SSL::VERIFY_NONE)
+      endpoint = Async::HTTP::Endpoint.parse(uri).with(ssl_context: ssl_context)
 
-      unless (proxy_uri = resolved_proxy_uri(parsed_uri, proxy)).nil?
-        client = Async::HTTP::Client.new(Async::HTTP::Endpoint.parse(proxy_uri.to_s))
+      if proxy || env_proxy
+        proxy_uri = proxy || "http://#{env_proxy.host}:#{env_proxy.port}"
+        client = Async::HTTP::Client.new(Async::HTTP::Endpoint.parse(proxy_uri))
         proxy = Async::HTTP::Proxy.new(client, "#{parsed_uri.host}:#{parsed_uri.port}")
         endpoint = proxy.wrap_endpoint(endpoint)
       end

src/bosh-monitor/lib/bosh/monitor/plugins/resurrector.rb

@@ -86,7 +86,7 @@ def process(alert)
                   title: 'Scan unresponsive VMs',
                   summary: 'Notifying Director to scan instances: '\
                   "#{pretty_str(jobs_to_instances_resurrection_enabled)}; #{state.summary}")
-            send_http_put_request(url.to_s, request, @director_options['ca_cert'])
+            send_http_put_request(url.to_s, request)
           end
 
           unless jobs_to_instances_resurrection_disabled.empty?
@@ -116,7 +116,7 @@ def scan_and_fix_already_queued_or_processing?(deployment_name)
           'Content-Type' => 'application/json',
         }
         url.query = URI.encode_www_form({ deployment: deployment_name, state: 'queued,processing', verbose: 2 })
-        body, status = send_http_get_request_synchronous(url.to_s, @director_options['ca_cert'], headers)
+        body, status = send_http_get_request_synchronous(url.to_s, headers)
 
         # Getting the current tasks may fail. In a situation where the director is already dealing with lots of scan and fix tasks,
         # we may want to postpone adding another one to the queue to give the director time to deal with the currently scheduled tasks.
@@ -142,7 +142,7 @@ def director_info
 
         url = @uri.dup
         url.path = '/info'
-        body, status = send_http_get_request_synchronous(url.to_s, @director_options['ca_cert'])
+        body, status = send_http_get_request_synchronous(url.to_s)
         return nil if status != 200
 
         @director_info = JSON.parse(body)